Our first attempt at making an OpenVPN connection between our satellite office and our main office worked after a fashion: the satellite office could connect and use anything in the main office, except that our VoIP would only work one way. It seems like the answer to this problem is to bridge the two networks, so that the client network is visible to the server network and vice versa. So I carefully read and followed the documentation at https://openvpn.net/index.php/open-sour ... dging.html. We also rearranged our network so that the main office uses the network 192.168.0.1/25 and the satellite office uses 192.168.0.128/25.
However, after the VPN connection is completed, the OpenVPN server stops responding completely over the network, and this is what we see in our syslog:
Apr 21 12:11:42 test-PBX ovpn-server[4399]: X.X.X.X:33261 TLS: Initial packet from [AF_INET]X.X.X.X:33261, sid=8a4ed57b f5a77a1a
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 VERIFY OK: depth=1, C=CA, ST=BC, L=Burnaby, O=ourcompany Inc., CN=office.ourdomain.com, name=ldinfo, emailAddress=ernied@ourdomain.com
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 VERIFY OK: depth=0, C=CA, ST=BC, L=Burnaby, O=ourcompany Inc., CN=office2, name=ldinfo, emailAddress=ernied@ourdomain.com
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 [office2] Peer Connection Initiated with [AF_INET]X.X.X.X:33261
Apr 21 12:11:44 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 MULTI_sva: pool returned IPv4=192.168.0.128, IPv6=(Not enabled)
Apr 21 12:11:44 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 MULTI: Learn: 00:ff:d5:8a:89:58 -> office2/X.X.X.X:33261
Apr 21 12:11:46 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 PUSH: Received control message: 'PUSH_REQUEST'
Apr 21 12:11:46 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 send_push_reply(): safe_cap=940
Apr 21 12:11:46 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 SENT CONTROL [office2]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 206.12.82.130,dhcp-option DNS 8.8.8.8,route-gateway 192.168.0.2,ping 10,ping-restart 120,ifconfig 192.168.0.128 255.255.255.0' (status=1)
Apr 21 12:12:06 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 MULTI: Learn: 10:bd:18:12:dc:34 -> office2/X.X.X.X:33261
Apr 21 12:16:06 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 [office2] Inactivity timeout (--ping-restart), restarting
Apr 21 12:16:06 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 SIGUSR1[soft,ping-restart] received, client-instance restarting
Server config
local 192.168.0.32
port 1194
proto udp
dev tap0
ca ca.crt
cert ldinfo.crt
key ldinfo.key # This file should be kept secret
dh dh2048.pem
server-bridge 192.168.0.32 255.255.255.0 192.168.0.128 192.168.0.254
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
tun-mtu 1500
Client config
client
dev tap
proto udp
remote office.ourdomain.com 1194
resolv-retry infinite
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
ns-cert-type server
comp-lzo adaptive
#!/bin/sh
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.0.32"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
# Create the persistent TAP device(s) OpenVPN will use
for t in $tap; do
openvpn --mktun --dev $t
done
# Create the bridge and attach the physical and TAP interfaces to it
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
brctl addif $br $t
done
# Member interfaces carry no address of their own; the bridge holds the IP
for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
# Re-add the default route, which is lost when $eth gives up its address
route add default gw 192.168.0.1
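Added example, not code from the original post or from OpenVPN's documentation: a small Python lint that reads a server-bridge config like the one above and flags the things a reviewer would check first. It tests whether the address pool handed to clients overlaps either office LAN (the posted pool 192.168.0.128-254 is exactly the satellite /25, and the log above shows the client being given 192.168.0.128, that network's own network address), whether redirect-gateway is being pushed on a site-to-site link, whether a cipher is set (the log shows the pre-2.4 default BF-CBC) and whether the control channel has tls-auth or tls-crypt. The config text and the two /25 LANs are constructed from the post; the cipher and tls-auth checks reflect OpenVPN's general recommendations and are not a claim about what caused this particular outage.

```python
import ipaddress

# Constructed from the server config posted above (comments, key/cert
# lines and the duplicated block dropped); not read from any real host.
SERVER_CONF = """\
local 192.168.0.32
port 1194
proto udp
dev tap0
server-bridge 192.168.0.32 255.255.255.0 192.168.0.128 192.168.0.254
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
"""

# Assumed site layout as described in the post: the two halves of 192.168.0.0/24.
SITE_LANS = {"main office": "192.168.0.0/25", "satellite office": "192.168.0.128/25"}

# Data-channel ciphers with a 64-bit block size, or no encryption at all.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "none"}


def parse_conf(text):
    """Return [(directive, [args])] per non-comment line; push "..." is
    unwrapped so the pushed directive is parsed like a top-level one."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("push "):
            entries.append(("push", line[5:].strip().strip('"').split()))
        else:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def bridge_pool(entries):
    """(gateway, netmask, pool_first, pool_last) from server-bridge, or None."""
    for directive, args in entries:
        if directive == "server-bridge" and len(args) == 4:
            return (ipaddress.ip_address(args[0]), args[1],
                    ipaddress.ip_address(args[2]), ipaddress.ip_address(args[3]))
    return None


def pool_overlaps(first, last, lan):
    """True if any address in the inclusive range [first, last] lies inside lan."""
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    lan = ipaddress.ip_network(lan)
    return first <= lan.broadcast_address and last >= lan.network_address


def lint(text, lans):
    """Return a list of findings for a server-bridge config against the site LANs."""
    entries = parse_conf(text)
    findings = []
    pool = bridge_pool(entries)
    if pool is not None:
        gateway, _mask, first, last = pool
        for name, lan in lans.items():
            lan = ipaddress.ip_network(lan)
            if pool_overlaps(first, last, lan):
                findings.append(f"pool {first}-{last} overlaps {name} LAN {lan}: "
                                "clients get addresses that hosts across the bridge already use")
            if first == lan.network_address or last == lan.broadcast_address:
                findings.append(f"pool edge {first}/{last} is the network or broadcast "
                                f"address of {lan}")
            if gateway in lan and first <= gateway <= last:
                findings.append(f"gateway {gateway} lies inside its own pool")
        if any(args[:1] == ["redirect-gateway"] for d, args in entries if d == "push"):
            findings.append("redirect-gateway pushed on a site-to-site bridge: the satellite "
                            "router sends its default route into the tunnel, not just office traffic")
    ciphers = [args[0] for d, args in entries if d == "cipher" and args]
    if not ciphers:
        findings.append("no cipher directive: OpenVPN before 2.4 defaults to BF-CBC "
                        "(64-bit block); set e.g. cipher AES-256-CBC on both ends")
    elif ciphers[0] in WEAK_CIPHERS:
        findings.append(f"weak data-channel cipher {ciphers[0]}")
    if not any(d in ("tls-auth", "tls-crypt") for d, _ in entries):
        findings.append("no tls-auth/tls-crypt: port 1194 answers TLS handshakes from any source")
    return findings


if __name__ == "__main__":
    for finding in lint(SERVER_CONF, SITE_LANS):
        print("-", finding)
```

Run it against the posted config and the overlap and the pushed redirect-gateway are reported; run it against a config whose pool sits outside both LANs (for example a satellite /26 with the pool in the spare quarter of the /24) and those findings disappear, which is the quickest way to confirm a renumbering plan before applying it to the routers.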